feat: add checkpoint uds-core slim package

.github/workflows/checkpoint.yaml

@@ -0,0 +1,65 @@
+name: Checkpoint UDS Core
+
+on:
+  pull_request: # TODO: TEMP @WSTARR
+    # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
+    types: [milestoned, opened, reopened, synchronize]
+  # triggered by tag-and-release.yaml
+  workflow_call:
+
+jobs:
+  publish-uds-core:
+    strategy:
+      matrix:
+        architecture: [amd64, arm64]
+    runs-on: ${{ matrix.architecture == 'arm64' && 'uds-ubuntu-arm64-4-core' || 'uds-ubuntu-big-boy-4-core' }}
+    name: Publish checkpoint
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write  # This is needed for OIDC federation.
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Environment setup
+        uses: ./.github/actions/setup
+        with:
+          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
+
+      - name: Deploy K3d + UDS Core Slim Bundle
+        run: |
+          uds run -f tasks/deploy.yaml latest-slim-bundle-release --no-progress
+
+      - name: Create Checkpoint Package
+        run: |
+          uds run -f tasks/create.yaml checkpoint-dev-package --no-progress
+
+      - name: Test Checkpoint Package
+        run: |
+          uds run -f tasks/deploy.yaml checkpoint-package --no-progress
+          npm ci
+          uds run test:slim-dev --no-progress
+
+      - name: Debug Output
+        if: always()
+        uses: ./.github/actions/debug-output
+
+      # - name: Publish Checkpoint Package
+      #   run: uds run -f tasks/publish.yaml checkpoint-package --no-progress
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          suffix: -${{ matrix.architecture }}
+
+      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: checkpoint-pkg-${{ matrix.architecture }}
+          path: |
+            build/zarf-package-k3d-core-slim-dev-${{ matrix.architecture }}-0.28.0.tar.zst

.github/workflows/slim-dev-test.yaml

@@ -52,6 +52,8 @@ jobs:
         uses: ./.github/actions/setup
       - name: Deploy Slim Dev Bundle
         run: uds run slim-dev --no-progress
+      - name: Test Slim Dev Bundle
+        run: uds run test:slim-dev --no-progress
       - name: Debug Output
         if: ${{ always() }}
         uses: ./.github/actions/debug-output

.github/workflows/tag-and-release.yaml

@@ -32,3 +32,12 @@ jobs:
     with:
       snapshot: false
     secrets: inherit
+
+  checkpoint-uds-core-release:
+    needs: publish-uds-core-release
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    uses: ./.github/workflows/checkpoint.yaml
+    secrets: inherit

.gitignore

@@ -18,4 +18,7 @@ extract-terraform.sh
 **/.terraform*
 cluster-config.yaml
 **.tfstate
+
+packages/checkpoint-dev/uds-checkpoint.tar
+
 **.backup

packages/checkpoint-dev/README.md

@@ -0,0 +1,31 @@
+# K3d + UDS Core Slim Dev Checkpoint
+
+This is a special Zarf package that takes a running K3d cluster (named `uds`) and wraps its committed container and volumes into a zarf package.
+
+## Creating this package
+
+In order to create this package you must follow the following:
+
+1. Setup a K3d cluster (named `uds`) containing the contents you'd like to checkpoint
+
+> [!NOTE]
+> The intent for this package is that those contents are the `uds dev stack`, `zarf init` and `uds core slim`
+
+2. Run `uds zarf package create <path-to-zarf-yaml> --confirm` on the Zarf Package in this directory
+
+> [!IMPORTANT]
+> This package requires `sudo` to create and deploy currently - if you see a prompt and it seems stalled it is waiting for password input (hidden by the spinner)
+
+## Deploying this package
+
+Once you have a package with the contents you want created you can deploy it with:
+
+```
+uds zarf package deploy <path-to-zarf-tarball> --confirm
+```
+
+> [!IMPORTANT]
+> This package requires `sudo` to deploy and create currently - if you see a prompt and it seems stalled it is waiting for password input (hidden by the spinner)
+
+> [!NOTE]
+> The pre-reqs for this package are the same as `uds-k3d` and you do not need to have a cluster running prior to deploying it.

packages/checkpoint-dev/checkpoint.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# Name of the running k3d container
+K3S_CONTAINER="k3d-uds-server-0"
+
+if [ -z "$TMPDIR" ]; then
+    #  macOS sets TMPDIR to a user temp directory - this also provides more options to linux
+    TMPDIR="/tmp"
+fi
+DATA_DIR="${TMPDIR}/uds-checkpoint-data"
+
+# Step 0: Ensure we can get sudo
+echo "This package requires elevated permissions to create - requesting sudo (if paused enter password)"
+sudo echo "got sudo! success!"
+
+# Step 1: Get the container ID of the running k3d container
+CONTAINER_ID=$(docker ps -qf "name=$K3S_CONTAINER")
+
+if [ -z "$CONTAINER_ID" ]; then
+    echo "No running container found for $K3S_CONTAINER"
+    exit 1
+fi
+
+# Step 2: Get the mounted volumes of the running container
+echo "Inspecting container volumes for $CONTAINER_ID..."
+VOLUMES=$(docker inspect -f '{{ json .Mounts }}' "$CONTAINER_ID" | jq)
+
+# Step 3: Prepare directories to save the volume data
+sudo rm -rf "$DATA_DIR"
+mkdir -p "${DATA_DIR}/kubelet_data" "${DATA_DIR}/k3s_data"
+
+# Step 4: Loop through volumes and copy data to corresponding directories
+echo "Copying volumes to local directories..."
+
+for row in $(echo "$VOLUMES" | jq -r '.[] | @base64'); do
+    _jq() {
+        echo "${row}" | base64 --decode | jq -r "${1}"
+    }
+
+    SOURCE=$(_jq '.Source')
+    DESTINATION=$(_jq '.Destination')
+
+    case "$DESTINATION" in
+        "/var/lib/kubelet")
+            echo "Copying $SOURCE to ${DATA_DIR}/kubelet_data/"
+            sudo cp -a "$SOURCE"/. "${DATA_DIR}/kubelet_data/"
+            ;;
+        "/var/lib/rancher/k3s")
+            echo "Copying $SOURCE to ${DATA_DIR}/k3s_data/"
+            sudo cp -a "$SOURCE"/. "${DATA_DIR}/k3s_data/"
+            ;;
+        *)
+            echo "$DESTINATION is not needed. Skipping..."
+            ;;
+    esac
+done
+
+# Step 5: Commit and save the current container as a new image
+IMAGE_NAME="ghcr.io/defenseunicorns/uds-core/checkpoint:latest"
+echo "Committing container $CONTAINER_ID to image $IMAGE_NAME:latest..."
+docker commit -p "$CONTAINER_ID" "$IMAGE_NAME"
+
+echo "Saving image to ${DATA_DIR}/uds-k3d-checkpoint-latest.tar..."
+sudo docker save -o "${DATA_DIR}/uds-k3d-checkpoint-latest.tar" "$IMAGE_NAME"
+
+echo "Container image saved to ${DATA_DIR}/uds-k3d-checkpoint-latest.tar"
+
+# Step 6: Create a tarball from the data contents
+echo "Creating a final tarball to include in the package"
+sudo tar --blocking-factor=64 -cpf uds-checkpoint.tar -C "$DATA_DIR" .
+
+echo "Successfully checkpointed the cluster!"
+
+exit 0

packages/checkpoint-dev/zarf.yaml

@@ -0,0 +1,96 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+
+kind: ZarfPackageConfig
+metadata:
+  name: k3d-core-slim-dev
+  description: "Rehydratable UDS K3d + UDS Core Slim (Istio, UDS Operator and Keycloak) Checkpoint"
+  authors: "Defense Unicorns - Product"
+  # x-release-please-start-version
+  version: "0.28.0"
+  # x-release-please-end
+
+variables:
+  - name: CLUSTER_NAME
+    description: "Name of the cluster"
+    default: "uds"
+
+  - name: K3D_EXTRA_ARGS
+    description: "Optionally pass k3d arguments to the default"
+    default: ""
+
+  - name: NGINX_EXTRA_PORTS
+    description: "Optionally allow more ports through Nginx (combine with K3D_EXTRA_ARGS '-p <port>:<port>@server:*')"
+    default: "[]"
+
+components:
+  - name: destroy-cluster
+    required: true
+    description: "Optionally destroy the cluster before creating it"
+    actions:
+      onDeploy:
+        before:
+          - cmd: |
+              echo "This package requires elevated permissions to deploy - requesting sudo (if paused enter password)"
+              sudo echo "got sudo! success!"
+          - cmd: k3d cluster delete ${ZARF_VAR_CLUSTER_NAME}
+            description: "Destroy the cluster"
+          - cmd: |
+              sudo rm -rf data
+
+  - name: create-cluster
+    required: true
+    description: "Create the K3d cluster w/UDS Core pre-installed"
+    files:
+      - source: uds-checkpoint.tar
+        target: uds-checkpoint.tar
+    actions:
+      onCreate:
+        before:
+          - cmd: ./checkpoint.sh
+        onSuccess:
+          - cmd: |
+              if [ -z "$TMPDIR" ]; then
+                #  macOS sets TMPDIR to a user temp directory - this also provides more options to linux
+                TMPDIR="/tmp"
+              fi
+              DATA_DIR="${TMPDIR}/uds-checkpoint-data"
+              sudo rm -rf "$DATA_DIR" uds-checkpoint.tar
+      onDeploy:
+        after:
+          - cmd: |
+              if [ -z "$TMPDIR" ]; then
+                #  macOS sets TMPDIR to a user temp directory - this also provides more options to linux
+                TMPDIR="/tmp"
+              fi
+              DATA_DIR="${TMPDIR}/uds-checkpoint-data"
+              mkdir -p "$DATA_DIR"
+
+              sudo tar --blocking-factor=64 -xpf uds-checkpoint.tar -C "$DATA_DIR"
+              K8S_TOKEN="$(sudo cat ${DATA_DIR}/k3s_data/server/token)"
+              echo $K8S_TOKEN
+              sudo docker load -i "${DATA_DIR}/uds-k3d-checkpoint-latest.tar"
+
+              k3d cluster create \
+                -p "80:80@server:*" \
+                -p "443:443@server:*" \
+                --api-port 6550 \
+                --k3s-arg "--disable=traefik@server:*" \
+                --k3s-arg "--disable=metrics-server@server:*" \
+                --k3s-arg "--disable=servicelb@server:*" \
+                --k3s-arg "--disable=local-storage@server:*" \
+                --k3s-arg "--token=${K8S_TOKEN}@server:*" \
+                -v "${DATA_DIR}/kubelet_data:/var/lib/kubelet@server:*" \
+                -v "${DATA_DIR}/k3s_data:/var/lib/rancher/k3s@server:*" \
+                --image ghcr.io/defenseunicorns/uds-core/checkpoint:latest ${ZARF_VAR_K3D_EXTRA_ARGS} \
+                ${ZARF_VAR_CLUSTER_NAME}
+            description: "Create the cluster"
+          # This action waits on Keycloak since it is the slowest pod to start after cluster creation. By waiting on it, we guarantee the cluster is healthy and usable after deployment.
+          - description: Keycloak to be Healthy
+            wait:
+              cluster:
+                kind: Pod
+                name: app.kubernetes.io/name=keycloak
+                namespace: keycloak
+                condition: Ready
+        onSuccess:
+          - cmd: rm -f uds-checkpoint.tar

src/istio/tasks.yaml

@@ -24,3 +24,19 @@ tasks:
             kind: Gateway
             name: tenant-gateway
             namespace: istio-tenant-gateway
+
+  - name: validate-slim
+    actions:
+      - description: Validate the Istio Admin Gateway
+        wait:
+          cluster:
+            kind: Gateway
+            name: admin-gateway
+            namespace: istio-admin-gateway
+
+      - description: Validate the Istio Tenant Gateway
+        wait:
+          cluster:
+            kind: Gateway
+            name: tenant-gateway
+            namespace: istio-tenant-gateway

tasks/create.yaml

@@ -46,6 +46,12 @@ tasks:
       - description: "Create the slim dev bundle (Base and Identity)"
         cmd: "uds create bundles/k3d-slim-dev --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}"
 
+  - name: checkpoint-dev-package
+    description: "Create the K3d + UDS Core Checkpoint Zarf Package"
+    actions:
+      - description: "Create the UDS Core Checkpoint Zarf Package"
+        cmd: "uds zarf package create packages/checkpoint-dev --confirm --no-progress --skip-sbom"
+
   # This task is a wrapper to support --set LAYER=identity-authorization
   - name: single-layer-callable
     actions:

tasks/deploy.yaml

@@ -59,7 +59,17 @@ tasks:
       - description: "Deploy the latest UDS Core package release"
         cmd: uds zarf package deploy oci://${TARGET_REPO}/core:${LATEST_VERSION} --confirm --no-progress --components '*'
 
+  - name: latest-slim-bundle-release
+    actions:
+      - description: "Deploy the latest UDS Core package release"
+        cmd: uds deploy oci://ghcr.io/defenseunicorns/packages/uds/bundles/k3d-core-slim-dev:latest --set INSECURE_ADMIN_PASSWORD_GENERATION=true --confirm --no-progress
+
   - name: standard-package
     actions:
       - description: "Deploy the standard UDS Core zarf package"
         cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*'
+
+  - name: checkpoint-package
+    actions:
+      - description: "Deploy the checkpoint K3d + UDS Core Slim zarf package"
+        cmd: uds zarf package deploy build/zarf-package-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress

tasks/publish.yaml

@@ -41,6 +41,13 @@ tasks:
              uds zarf tools registry copy ${pkgPath}:${VERSION}-${FLAVOR} ${pkgPath}:latest-${FLAVOR}
           fi
 
+  - name: checkpoint-package
+    description: "Publish the UDS checkpoint package"
+    actions:
+      - description: "Publish the checkpoint package for the current UDS_ARCH"
+        cmd: |
+          uds zarf package publish build/zarf-package-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst oci://ghcr.io/defenseunicorns/dev/uds/checkpoints/k3d-core-slim-dev
+
   - name: bundles
     description: "Publish UDS Bundles"
     actions:

tasks/test.yaml

@@ -7,6 +7,9 @@ includes:
   - setup: ./setup.yaml
   - deploy: ./deploy.yaml
   - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/compliance.yaml
+  - istio: ../src/istio/tasks.yaml
+  - keycloak: ../src/keycloak/tasks.yaml
+  - pepr: ../src/pepr/tasks.yaml
   - base-layer: ../packages/base/tasks.yaml
 
 tasks:
@@ -93,3 +96,10 @@ tasks:
         with:
           assessment_results: ./compliance/oscal-assessment-results.yaml
           options: -t il4
+
+  - name: slim-dev
+    description: "Run validate for the components contained in the slim dev bundle"
+    actions:
+      - task: istio:validate-slim
+      - task: keycloak:validate
+      - task: pepr:validate